
Securing Your Customer's Cardholder Data


Requirements and Validation for PCI DSS Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is designed to give merchants a single set of requirements for safeguarding sensitive data, adopted by all card brands. The payment brands, in conjunction with the PCI DSS, require that all merchants (regardless of their size or payment system) that store, process, transmit or have access to cardholder data comply with the standard in order to protect that data.

What are the requirements?
The PCI DSS comprises twelve requirements. These requirements cover the full spectrum of topics necessary for data security, ranging from removing sensitive card data from your payment terminals to implementing data security policies for your employees to follow.

In conjunction with the twelve requirements, the PCI Security Council has developed the Prioritized Approach, which provides guidance for non-compliant merchants striving to achieve compliance.

Levels of Requirements

Level 1
  Criteria: Over 6 million Visa or MasterCard transactions in a 12 month period
  Requirements:
  • Onsite Assessment performed by a QSA
  • Quarterly network scans

Level 2
  Criteria: Between 1 and 6 million Visa or MasterCard transactions in a 12 month period
  Requirements:
  • Assessment Questionnaire performed by accredited internal staff, or onsite assessment by a QSA
  • Quarterly network scans

Level 3
  Criteria: Between 20,000 and 1 million Visa or MasterCard e-commerce transactions in a 12 month period
  Requirements:
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans

Level 4
  Criteria: Less than 20,000 e-commerce transactions, or less than 1 million transactions with one card brand, in a 12 month period
  Requirements:
  • Self-Assessment Questionnaire (SAQ)
  • Quarterly network scans
  • Submission to acquirer not mandatory


Validation of Compliance

Your acquirer may require submission of documentation depending on your data security reporting level in order to validate PCI DSS compliance, such as:


Vulnerability Scans

Why is scanning important? A quarterly network scan helps ensure that your payment environment is sealed off from individuals with malicious intent. In addition to safeguarding your customers' cardholder data, performing network scans is a requirement for ongoing PCI DSS compliance.

These scans are non-intrusive tests that involve probing external-facing systems and reporting on the services available through your Internet connection. For a complete list of Approved Scanning Vendors, visit the PCI Security Standards Council website.

For card brand updates on data security, visit the Merchant Support Center.